SEC, NAIC Assess Guidelines for SOX Compliance

Over the past three years, publicly held companies in the insurance industry have become painfully familiar with the stringent requirements of the Sarbanes-Oxley (SOX) corporate governance law.A senior-level executive with Chicago-based global brokerage firm Aon Inc., confirmed that the company's audit fees skyrocketed 53%, from $10 million in 2003 to $15.3 million in 2004. And, with annual revenue of $800 million and income of approximately $73 million, RLI Corp., a Peoria, Ill.-based specialty insurer, absorbed Section 404 compliance costs last year of $1.9 million.

Due to Sarbanes-Oxley's impact on corporate America, it's not surprising that federal regulators are in the process of reassessing the law's requirements.

Amid complaints voiced by a growing number of corporations that SOX regulations are too burdensome, a new philosophy is emerging.

Federal regulators have issued guidelines that might provide companies and accounting firms with a greater degree of leeway in complying with key provisions of the regulation.

The Securities and Exchange Commission (SEC) and Public Company Accounting Oversight Board in May issued companion statements on compliance to Section 404 of SOX, which governs management assessment of internal controls.

In these statements, the two regulatory agencies said that compliance to Section 404 should reflect the nature and size of the company to which they relate, and should be tailored to the operations of smaller companies.

In its statement, the SEC stressed that it's "the responsibility of management to determine the form and level of controls appropriate for each company and to scope their assessment . . . accordingly."

In the meantime, accounting firms that audit companies' internal controls "should recognize that there is a zone of reasonable conduct by companies that should be recognized as acceptable," according to the SEC.

With the specter of burdensome costs hovering, insurance groups hailed the SEC announcement as a positive first step to clarifying and streamlining the internal control reporting process.

In fact, the timing of SEC's announcement was fortuitous, according to industry sources. It could help shape the National Association of Insurance Commissioners' (NAIC) formulation of a Section 404 compliance framework for state insurance regulators and legislators to consider adopting for all insurance companies, including mutual companies.

The NAIC, headquartered in Kansas City, Mo., is presently studying Section 404 requirements, and hopes to make a final recommendation by the end of the year, according to Douglas Stolte, deputy commissioner for Virginia's Department of Insurance, and chairman of the NAIC working group for SOX.

The NAIC working group has already finalized its recommendations for SOX Title II (independent auditing) and Title III (corporate responsibility) compliance.

The NAIC is studying many nuances of Section 404-and the effects they'll have on insurers. One of the most controversial areas, for example, is cost of external audits, especially for small carriers. A possible recommendation: providing a grace period for completing external audits based on a firm's size.

Undoubtedly, the external audit piece to SOX has been a difficult challenge. For example, a survey released in March of 217 companies (with revenues of at least $5 billion) by Financial Executives International, Florham Park, N.J., indicated that one-year costs for Section 404 compliance averaged more than $4.3 million per company.

Whatever happens with the NAIC's final recommendations, Stolte advises insurers to manage their actions by "design" rather than by "crisis."